(fixed) bad cache hit (eduftcdnsp01.ed.gov/DS)
Thanks to everyone who replied on and off list, my first DNSSEC-related problem and no self-confidence. :-)

They got it fixed yesterday evening and working OK again.

Have a great weekend!

jim

On Fri, 27 May 2011 15:09:39 -0400 Jim Glassford jmgl...@iup.edu wrote:

> Hi,
>
> Running BIND 9.7.0-P2
>
> Is this just me or are others seeing this?
>
> Starting today got reports of unable to reach some student aid sites such as studentloans.gov
>
> # dig eduftcdnsp01.ed.gov
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46012
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;eduftcdnsp01.ed.gov. IN A
>
> ;; Query time: 550 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 27 15:06:00 2011
> ;; MSG SIZE rcvd: 37
>
> ~in dnssec log file;
>
> 27-May-2011 15:06:00.097 dnssec: info: validating @0x7ff40c023520: eduftcdnsp01.ed.gov A: bad cache hit (eduftcdnsp01.ed.gov/DS)
>
> With the checking disabled;
>
> # dig eduftcdnsp01.ed.gov +cd
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov +cd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11700
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;eduftcdnsp01.ed.gov. IN A
>
> ;; ANSWER SECTION:
> eduftcdnsp01.ed.gov. 3539 IN A 148.9.101.50
>
> ;; AUTHORITY SECTION:
> ed.gov. 2777 IN NS eduptcdnsp01.ed.gov.
> ed.gov. 2777 IN NS eduptcdnsp02.ed.gov.
> ed.gov. 2777 IN NS eduftcdnsp02.ed.gov.
> ed.gov. 2777 IN NS eduftcdnsp01.ed.gov.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 27 15:07:01 2011
> ;; MSG SIZE rcvd: 148
>
> thanks!
> jim

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
? bad cache hit (eduftcdnsp01.ed.gov/DS)
Hi,

Running BIND 9.7.0-P2

Is this just me or are others seeing this?

Starting today got reports of unable to reach some student aid sites such as studentloans.gov

# dig eduftcdnsp01.ed.gov

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;eduftcdnsp01.ed.gov. IN A

;; Query time: 550 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 27 15:06:00 2011
;; MSG SIZE rcvd: 37

~in dnssec log file;

27-May-2011 15:06:00.097 dnssec: info: validating @0x7ff40c023520: eduftcdnsp01.ed.gov A: bad cache hit (eduftcdnsp01.ed.gov/DS)

With the checking disabled;

# dig eduftcdnsp01.ed.gov +cd

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11700
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;eduftcdnsp01.ed.gov. IN A

;; ANSWER SECTION:
eduftcdnsp01.ed.gov. 3539 IN A 148.9.101.50

;; AUTHORITY SECTION:
ed.gov. 2777 IN NS eduptcdnsp01.ed.gov.
ed.gov. 2777 IN NS eduptcdnsp02.ed.gov.
ed.gov. 2777 IN NS eduftcdnsp02.ed.gov.
ed.gov. 2777 IN NS eduftcdnsp01.ed.gov.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 27 15:07:01 2011
;; MSG SIZE rcvd: 148

thanks!
jim
Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)
On Fri, May 27, 2011 at 12:09 PM, Jim Glassford jmgl...@iup.edu wrote:

> Starting today got reports of unable to reach some student aid sites such as studentloans.gov

There are problems with this and related sites. Specifically RRSIGs are not being returned with some RRsets, resulting in a broken chain of trust and a bogus validation status:

http://dnsviz.net/d/studentloans.gov/dnssec/
http://dnsviz.net/d/eduftcdnsp01.ed.gov/dnssec/

There's been some effort through this list and other DNS lists to contact the DNS admins of these sites and make them aware of the problems, so they can be resolved.

Regards,
Casey
Re: ? bad cache hit (eduftcdnsp01.ed.gov/DS)
Hi Jim,

We are seeing the same thing. The problem is an incorrectly signed zone (missing RRSIG records) at ed.gov. See:

http://dnssec-debugger.verisignlabs.com/www.ed.gov
http://dnsviz.net/d/www.ed.gov/dnssec/

cv

On Fri, May 27, 2011 at 12:09 PM, Jim Glassford jmgl...@iup.edu wrote:

> Hi,
>
> Running BIND 9.7.0-P2
>
> Is this just me or are others seeing this?
>
> Starting today got reports of unable to reach some student aid sites such as studentloans.gov
>
> # dig eduftcdnsp01.ed.gov
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46012
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;eduftcdnsp01.ed.gov. IN A
>
> ;; Query time: 550 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 27 15:06:00 2011
> ;; MSG SIZE rcvd: 37
>
> ~in dnssec log file;
>
> 27-May-2011 15:06:00.097 dnssec: info: validating @0x7ff40c023520: eduftcdnsp01.ed.gov A: bad cache hit (eduftcdnsp01.ed.gov/DS)
>
> With the checking disabled;
>
> # dig eduftcdnsp01.ed.gov +cd
>
> ; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> eduftcdnsp01.ed.gov +cd
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11700
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;eduftcdnsp01.ed.gov. IN A
>
> ;; ANSWER SECTION:
> eduftcdnsp01.ed.gov. 3539 IN A 148.9.101.50
>
> ;; AUTHORITY SECTION:
> ed.gov. 2777 IN NS eduptcdnsp01.ed.gov.
> ed.gov. 2777 IN NS eduptcdnsp02.ed.gov.
> ed.gov. 2777 IN NS eduftcdnsp02.ed.gov.
> ed.gov. 2777 IN NS eduftcdnsp01.ed.gov.
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Fri May 27 15:07:01 2011
> ;; MSG SIZE rcvd: 148
>
> thanks!
> jim
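
Added example, not part of the original thread or written by any of its posters: a small triage helper for the pattern discussed above, where a validating query returns SERVFAIL, the same query with +cd returns NOERROR, and the +cd answer contains RRsets with no covering RRSIG. It assumes the zone is signed and that the +cd query was also sent with +dnssec; the function names and the sample dig text (example.gov names, documentation addresses, made-up signature data) are constructed for illustration.

```python
import re

# Constructed sample shaped like `dig +dnssec +cd` output; not captured data.
SAMPLE_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11700
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0
;; ANSWER SECTION:
host.example.gov. 3539 IN A 192.0.2.50
;; AUTHORITY SECTION:
example.gov. 2777 IN NS ns1.example.gov.
example.gov. 2777 IN NS ns2.example.gov.
example.gov. 2777 IN RRSIG NS 7 2 3600 20110610000000 20110527000000 12345 example.gov. c2lnbmF0dXJl
"""
# Constructed sample of the same query without +cd on a validating resolver.
SAMPLE_VALIDATING = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46012
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

def status(dig_text):
    """Extract the rcode name from dig's header line, or None."""
    m = re.search(r"status: (\w+)", dig_text)
    return m.group(1) if m else None

def unsigned_rrsets(dig_text):
    """Return sorted (owner, type) RRsets that have no covering RRSIG."""
    rrsets, covered = set(), set()
    for line in dig_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5 or fields[2] != "IN":
            continue  # skip comments, blank lines and anything not a record
        owner, rtype = fields[0].lower(), fields[3]
        if rtype == "RRSIG":
            covered.add((owner, fields[4]))  # fields[4] is "type covered"
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)

def triage(validating_text, cd_text):
    """Classify a failing lookup from the two dig outputs."""
    s_val, s_cd = status(validating_text), status(cd_text)
    if s_val == "SERVFAIL" and s_cd == "NOERROR":
        # Data resolves once checking is disabled: the validator rejected it.
        return ("validation-failure", unsigned_rrsets(cd_text))
    if s_val == "SERVFAIL":
        return ("resolution-failure", [])  # fails even with +cd: not DNSSEC
    return ("ok", [])
```

A "validation-failure" result with a non-empty list points at the signing zone's operators rather than at the local resolver, which matches how the problem in this thread was resolved.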